Brand Impersonation: Vanguard

Detects inbound messages from senders using Vanguard-like display names or domains, excluding legitimate Vanguard domains and authenticated communications. Additional checks ensure the sender is not from trusted organizational domains or high-trust sender domains with proper authentication.


name: "Brand Impersonation: Vanguard"
description: "Detects inbound messages from senders using Vanguard-like display names or domains, excluding legitimate Vanguard domains and authenticated communications. Additional checks ensure the sender is not from trusted organizational domains or high-trust sender domains with proper authentication."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // sender identity looks like the brand: any one of the three checks below
  and (
    // display name contains Vanguard
    // (substring match on the confusable-normalized display name; any name that
    // merely contains the word also matches here, so the content and
    // sender-trust conditions further down carry the false-positive burden)
    (
      strings.ilike(strings.replace_confusables(sender.display_name),
                    '*vanguard*'
      )
      // levenshtein distance similar to Vanguard
      // (case-insensitive, at most one edit away from the exact brand name)
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'vanguard'
      ) <= 1
      // sender domain contains Vanguard
      or strings.ilike(strings.replace_confusables(sender.email.domain.domain),
                       '*vanguard*'
      )
    )
  )
  // message content must BOTH be classified under a brand-notice style topic
  // AND carry a high-confidence credential-theft intent; each check is run on
  // the thread text and again on OCR of a message screenshot, so text that is
  // rendered only in images is still covered
  and (
    (
      any(beta.ml_topic(body.current_thread.text).topics,
          .name in (
            "Security and Authentication",
            "Secure Message",
            "Financial Communications"
          )
          and .confidence == "high"
      )
      or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
             .name in (
               "Security and Authentication",
               "Secure Message",
               "Financial Communications"
             )
             and .confidence == "high"
      )
    )
    and (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence == "high"
      )
      or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
             .name == "cred_theft" and .confidence == "high"
      )
    )
  )
  
  // and the sender is not in org_domains or from Vanguard domains and passes auth
  // NOTE(review): $org_domains is excluded without any auth check, whereas the
  // Vanguard domains below are excluded only when DMARC passes; confirm that
  // is intended, since an unauthenticated message claiming an org root domain
  // is skipped by this rule
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      // legitimate Vanguard sending domains; the exclusion only applies when
      // the message also passes DMARC (see below), so a look-alike that merely
      // claims one of these domains is still evaluated
      sender.email.domain.root_domain in (
        "vanguard.com",
        "vanguardcharitable.org", // philanthropic giving arm
        "vanguardmexico.com",
        "vanguardcanada.ca",
        "vanguard.co.uk",
        "vanguard.com.au",
        "vanguard.com.hk",
        "vanguardinvestor.co.uk",
        "vanguardretirement-mail.com",
        "e-vanguard.com",
        "e-vanguardcharitable.org",
        "feedback-vanguard.com",
        "m-vanguard.com",
        // the two domains below are not Vanguard-branded; presumably third-party
        // mail services used by Vanguard — verify before keeping them listed
        "investordelivery.com",
        "retsupport.com"
      )
      and headers.auth_summary.dmarc.pass
    )
  )
  // and the sender is not from high trust sender root domains
  // i.e. a high-trust root domain bypasses the rule only when it also passes
  // DMARC; a high-trust domain that fails DMARC is still evaluated
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // skip senders the sender profile marks as solicited
  // (presumably prior outbound contact from the recipient org — confirm)
  and not profile.by_sender().solicited  

attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
  - "Credential Phishing"
  - "Extortion"
  - "Malware/Ransomware"
  - "Spam"
tactics_and_techniques:
  - "Impersonation: Brand"
detection_methods:
  - "Natural Language Understanding"
  - "Header analysis"
  - "Sender analysis"
id: "3bd048fe-5b3e-5050-b0d6-669653e14d9a"